To: keydist@cafax.se
From: RJ Atkinson <rja@extremenetworks.com>
Date: Thu, 17 Jan 2002 14:35:46 -0500
In-Reply-To: <200201171829.g0HITgi22617@astro.cs.utk.edu>
Sender: owner-keydist@cafax.se
Subject: Re: problem statements...

It seems to me that the needs are:

- distribution of public keys (preferably also "signed keys" or "public key certificates").
- ability to authenticate the binding of a given public key with the identity the key is associated with.

If one distributes signed public keys (whether or not formally 'certificates'), then one can use signature validation to authenticate the (key, identity) binding.

It is NICE if a given certificate/signed-key can have multiple authenticating signatures bound to it -- because that increases the probability of someone having knowledge of at least one of the keys useful for signature verification.

However, whether or not one uses DNS, I don't think there is ANY way to get around the need to configure at least one public key (e.g. a key used for signature/certificate validation) manually on a device.

(and I'm not being super-precise with terminology here, so be gentle :-)

Ran
rja@inet.org